# Thread Handoff

- Thread: steady-engine-0859
- UUID: 43397c43-f597-40f5-8693-a1501b8342f0
- CTF: midnight-sun-ctf-2026-quals
- Challenge: speed-5
- Runtime: codex
- Model: gpt-5.4-nano
- Status: completed

## Transcript

- **Assistant:** I’ll first inspect the provided `/challenge` files to understand what the remote service expects, then I’ll connect to `speed5.play.ctf.se:9119` and work through the interaction (including any binary/crypto logic) while logging findings and errors to the Discord webhook.
- **Assistant:** Quick fix: rerunning the directory listing with safe ASCII flags, then I’ll scan the challenge files to see whether it’s source code, binaries, or notes.
- **Assistant:** The challenge appears to include a single target binary (`speed5`, plus a QEMU helper for AArch64). Next I’ll inspect the binary format/strings, then run it locally under QEMU to understand the expected interaction before attacking the remote service.
- **Assistant:** Next I’ll try to locate any human-readable prompts/constants inside the ARM `speed5` binary (via targeted `strings`/symbol searches). Once we know what it asks for, we can automate the local interaction and then attack the remote service.
- **Assistant:** I hit a small blocker: the provided `qemu-aarch64` helper isn’t executable, so I can’t run the ARM binary directly yet. Next I’ll inspect its permissions and either invoke it via an available interpreter or adjust permissions in the safest possible way inside the workspace.
- **Assistant:** I tried to make the provided `qemu-aarch64` executable, but the sandbox filesystem is read-only (so `chmod` fails). Next I’ll test network connectivity to `speed5.play.ctf.se:9119`; if network is also blocked, I’ll request escalation specifically for the minimal network interaction needed.
- **Assistant:** Connection to speed5.play.ctf.se (13.60.76.107) 9119 port [tcp/*] succeeded!
- **Assistant:** Network connectivity to `speed5.play.ctf.se:9119` is working now.
Next I’ll grab the initial banner/output from the service (without sending yet), then we’ll inspect the protocol and start crafting an exploit/solve script.
- **Assistant:** *[ASCII-art banner omitted]* shellcode size:
- **Assistant:** RAW_LEN 2622 *[ASCII-art banner omitted]* shellcode size:
- **Assistant:** The service banner is clearer now: after the ASCII art it prompts `shellcode size:`. Next I’ll read until that prompt fully completes (to see what input format it expects), then we’ll automate the rest of the interaction with a small Python client.
- **Assistant:** *[ASCII-art banner omitted]* shellcode size:
- **Assistant:** shellcode: Error executing shellcode
- **Assistant:** At this point we know the remote protocol is: it asks for a numeric `shellcode size`, then it tries to execute what we provide (our `0` produced “Error executing shellcode”). Next I’ll statically analyze the local `speed5` binary for symbols/logic around “shellcode”/execution (mmap/mprotect/syscalls) so we can craft the correct payload format and architecture.
- **Assistant:** Now that we’ve located key functions in the binary (`init_sandbox`, `execute_shellcode`, `load_flag`, and the `flag_region` object), the next step is to disassemble around those addresses. That should reveal: (1) how it reads shellcode from stdin (raw vs hex/base64) and (2) what memory/registers it sets up for the shellcode so we can write a working AArch64 payload.
- **Assistant:** *[radare2 output omitted: function listing and disassembly of `execute_shellcode`, `load_flag`, `main`, `init_sandbox`, `read_until` and `read_int_4`]*
- **Assistant:** We have full protocol details from the ARM `speed5` binary: it reads an integer `shellcode size` (max `0x400`), then reads that many bytes, rejects any byte equal to `0xd4`, maps them executable, calls `init_sandbox`, and finally executes the shellcode with `x0` pointing to the in-memory `flag_region`. Next I’ll identify exactly what `init_sandbox` does (seccomp/prctl behavior) and then craft an AArch64 shellcode that only uses allowed syscalls to print the flag. - **Assistant:** INFO: Analyze symbols (af@@@s) INFO: Recovering variables (afva@@F) INFO: Running plugin pre-analysis hooks INFO: Analyze all functions arguments/locals (afva@@F) ; CALL XREF from main @ 0x400f68(x) ┌ 560: sym.load_flag (int64_t arg_c0h); │ `- args() vars(6:sp[0x10..0xb4]) │ 0x00400bf0 ff0303d1 sub sp, sp, 0xc0 │ 0x00400bf4 fd7b0aa9 stp x29, x30, [var_a0h] │ 0x00400bf8 fd830291 add x29, sp, 0xa0 │ 0x00400bfc f35b00f9 str x19, [var_b0h] │ 0x00400c00 e00400f0 adrp x0, 0x49f000 │ 0x00400c04 002446f9 ldr x0, [x0, 0xc48] │ 0x00400c08 010040f9 ldr x1, [x0] │ 0x00400c0c e14f00f9 str x1, [var_98h] │ 0x00400c10 010080d2 mov x1, 0 │ 0x00400c14 e0630091 add x0, sp, 0x18 │ 0x00400c18 0004004f movi v0.4s, 0 │ 0x00400c1c 000000ad stp q0, q0, [x0] │ 0x00400c20 000001ad stp q0, q0, [x0, 0x20] │ 0x00400c24 000002ad stp q0, q0, [x0, 0x40] │ 0x00400c28 000003ad stp q0, q0, [x0, 0x60] │ 0x00400c2c ff0f00b9 str wzr, [var_ch] │ 0x00400c30 01008052 mov w1, 0 │ 0x00400c34 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ 0x00400c38 00400091 add x0, x0, 0x10 │ 0x00400c3c 415d0094 bl sym.__open ; int open(const char *path, int oflag) │ 0x00400c40 e01700b9 str w0, [var_14h] │ 0x00400c44 e01740b9 ldr w0, [var_14h] │ 0x00400c48 1f000071 cmp w0, 0 │ ┌─< 0x00400c4c ca000054 b.ge 0x400c64 │ │ 0x00400c50 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ │ 0x00400c54 00800091 add x0, x0, 0x20 │ │ 0x00400c58 3ffeff97 bl sym.perror ; void perror(const char *s) │ │ 0x00400c5c 00008012 mov w0, 
-1 │ ┌──< 0x00400c60 62000014 b 0x400de8 │ │└─> 0x00400c64 820080d2 mov x2, 4 │ │ 0x00400c68 000500b0 adrp x0, 0x4a1000 │ │ 0x00400c6c 01002991 add x1, x0, 0xa40 │ │ 0x00400c70 e01740b9 ldr w0, [var_14h] │ │ 0x00400c74 8b5d0094 bl sym.__read ; ssize_t read(int fildes, void *buf, size_t nbyte) │ │ 0x00400c78 000500b0 adrp x0, 0x4a1000 │ │ 0x00400c7c 00002991 add x0, x0, 0xa40 │ │ 0x00400c80 000040b9 ldr w0, [x0] │ │ 0x00400c84 6b040094 bl sym.__srandom ; uint32_t srandom(uint32_t seed) │ │ 0x00400c88 e01740b9 ldr w0, [var_14h] │ │ 0x00400c8c 715c0094 bl sym.__libc_close ; int close(int fildes) │ │ 0x00400c90 01008052 mov w1, 0 │ │ 0x00400c94 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ │ 0x00400c98 00a00091 add x0, x0, 0x28 │ │ 0x00400c9c 295d0094 bl sym.__open ; int open(const char *path, int oflag) │ │ 0x00400ca0 e01700b9 str w0, [var_14h] │ │ 0x00400ca4 e01740b9 ldr w0, [var_14h] │ │ 0x00400ca8 1f000071 cmp w0, 0 │ │┌─< 0x00400cac ca000054 b.ge 0x400cc4 │ ││ 0x00400cb0 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ ││ 0x00400cb4 00c00091 add x0, x0, 0x30 │ ││ 0x00400cb8 27feff97 bl sym.perror ; void perror(const char *s) │ ││ 0x00400cbc 00008012 mov w0, -1 │ ┌───< 0x00400cc0 4a000014 b 0x400de8 │ ││└─> 0x00400cc4 e0630091 add x0, sp, 0x18 │ ││ 0x00400cc8 021080d2 mov x2, 0x80 │ ││ 0x00400ccc e10300aa mov x1, x0 │ ││ 0x00400cd0 e01740b9 ldr w0, [var_14h] │ ││ 0x00400cd4 735d0094 bl sym.__read ; ssize_t read(int fildes, void *buf, size_t nbyte) │ ││ 0x00400cd8 e01740b9 ldr w0, [var_14h] │ ││ 0x00400cdc 5d5c0094 bl sym.__libc_close ; int close(int fildes) │ ││ 0x00400ce0 050080d2 mov x5, 0 │ ││ 0x00400ce4 04008012 mov w4, -1 │ ││ 0x00400ce8 43048052 mov w3, 0x22 ; '\"' │ ││ 0x00400cec e2008052 mov w2, 7 │ ││ 0x00400cf0 0110a0d2 mov x1, 0x800000 │ ││ 0x00400cf4 000080d2 mov x0, 0 │ ││ 0x00400cf8 9a600094 bl sym.__mmap ; void*mmap(void*addr, size_t length, int prot, int flags, int fd, size_t offset) │ ││ 0x00400cfc e10300aa mov x1, x0 │ ││ 0x00400d00 000500b0 adrp x0, 
0x4a1000 │ ││ 0x00400d04 00e02891 add x0, x0, 0xa38 │ ││ 0x00400d08 010000f9 str x1, [x0] │ ││ 0x00400d0c 000500b0 adrp x0, 0x4a1000 │ ││ 0x00400d10 00e02891 add x0, x0, 0xa38 │ ││ 0x00400d14 000040f9 ldr x0, [x0] │ ││ 0x00400d18 1f0400b1 cmn x0, 1 │ ││ 0x00400d1c c1000054 b.ne 0x400d34 │ ││ 0x00400d20 c00200d0 adrp x0, 0x45a000 │ ││ 0x00400d24 00e03f91 add x0, x0, 0xff8 │ ││ 0x00400d28 0bfeff97 bl sym.perror ; void perror(const char *s) │ ││ 0x00400d2c 00008012 mov w0, -1 │ ││ 0x00400d30 2e000014 b 0x400de8 │ ││ 0x00400d34 ff0f00b9 str wzr, [var_ch] │ ││ 0x00400d38 22000014 b 0x400dc0 │ ││ 0x00400d3c 35040094 bl sym.rand ; int rand(void) │ ││ 0x00400d40 e103006b negs w1, w0 │ ││ 0x00400d44 00580012 and w0, w0, 0x7fffff │ ││ 0x00400d48 21580012 and w1, w1, 0x7fffff │ ││ 0x00400d4c 0044815a csneg w0, w0, w1, mi │ ││ 0x00400d50 e01300b9 str w0, [var_ch] │ ││ 0x00400d54 07000014 b 0x400d70 │ ││ 0x00400d58 2e040094 bl sym.rand ; int rand(void) │ ││ 0x00400d5c e103006b negs w1, w0 │ ││ 0x00400d60 00580012 and w0, w0, 0x7fffff │ ││ 0x00400d64 21580012 and w1, w1, 0x7fffff │ ││ 0x00400d68 0044815a csneg w0, w0, w1, mi │ ││ 0x00400d6c e01300b9 str w0, [var_ch] │ ││ ; CODE XREF from sym.load_flag @ 0x400d54(x) │ ││ 0x00400d70 000500b0 adrp x0, 0x4a1000 │ ││ 0x00400d74 00e02891 add x0, x0, 0xa38 │ ││ 0x00400d78 010040f9 ldr x1, [x0] │ ││ 0x00400d7c e01380b9 ldrsw x0, [var_ch] │ ││ 0x00400d80 2000008b add x0, x1, x0 │ ││ 0x00400d84 00004039 ldrb w0, [x0] │ ││ 0x00400d88 1f000071 cmp w0, 0 │ ││ 0x00400d8c 61feff54 b.ne 0x400d58 │ ││ 0x00400d90 000500b0 adrp x0, 0x4a1000 │ ││ 0x00400d94 00e02891 add x0, x0, 0xa38 │ ││ 0x00400d98 010040f9 ldr x1, [x0] │ ││ 0x00400d9c e01380b9 ldrsw x0, [var_ch] │ ││ 0x00400da0 2000008b add x0, x1, x0 │ ││ 0x00400da4 e10f80b9 ldrsw x1, [var_ch] │ ││ 0x00400da8 e2630091 add x2, sp, 0x18 │ ││ 0x00400dac 41686138 ldrb w1, [x2, x1] │ ││ 0x00400db0 01000039 strb w1, [x0] │ ││ 0x00400db4 e00f40b9 ldr w0, [var_ch] │ ││ 0x00400db8 00040011 add w0, w0, 1 
│ ││ 0x00400dbc e00f00b9 str w0, [var_ch] │ ││ ; CODE XREF from sym.load_flag @ 0x400d38(x) │ ││ 0x00400dc0 f30f80b9 ldrsw x19, [var_ch] │ ││ 0x00400dc4 e0630091 add x0, sp, 0x18 │ ││ 0x00400dc8 3afdff97 bl fcn.004002b0 │ ││ 0x00400dcc 7f0200eb cmp x19, x0 │ ││ 0x00400dd0 63fbff54 b.lo 0x400d3c │ ││ 0x00400dd4 e0630091 add x0, sp, 0x18 │ ││ 0x00400dd8 021080d2 mov x2, 0x80 │ ││ 0x00400ddc 01008052 mov w1, 0 │ ││ 0x00400de0 30fdff97 bl fcn.004002a0 │ ││ 0x00400de4 00008052 mov w0, 0 │ ││ ; CODE XREFS from sym.load_flag @ 0x400c60(x), 0x400cc0(x), 0x400d30(x) │ └└──> 0x00400de8 e103002a mov w1, w0 │ 0x00400dec e00400f0 adrp x0, 0x49f000 │ 0x00400df0 002446f9 ldr x0, [x0, 0xc48] │ 0x00400df4 e34f40f9 ldr x3, [var_98h] │ 0x00400df8 020040f9 ldr x2, [x0] │ 0x00400dfc 630002eb subs x3, x3, x2 │ 0x00400e00 020080d2 mov x2, 0 │ 0x00400e04 40000054 b.eq 0x400e0c │ 0x00400e08 be630094 bl sym.__stack_chk_fail_local │ 0x00400e0c e003012a mov w0, w1 │ 0x00400e10 f35b40f9 ldr x19, [var_b0h] │ 0x00400e14 fd7b4aa9 ldp x29, x30, [var_a0h] │ 0x00400e18 ff030391 add sp, sp, 0xc0 └ 0x00400e1c c0035fd6 ret ┌ 480: int main (int argc, char **argv); │ `- args(x0, x1) vars(7:sp[0x18..0x440]) │ 0x00400e20 fd7bbfa9 stp x29, x30, [sp, -0x10]! 
│ 0x00400e24 fd030091 mov x29, sp │ 0x00400e28 ffc310d1 sub sp, sp, 0x430 │ 0x00400e2c ff0302f9 str xzr, [var_400h] │ 0x00400e30 e00f00b9 str w0, [var_ch] ; argc │ 0x00400e34 e10300f9 str x1, [sp] ; argv │ 0x00400e38 e00400f0 adrp x0, 0x49f000 │ 0x00400e3c 002446f9 ldr x0, [x0, 0xc48] │ 0x00400e40 010040f9 ldr x1, [x0] │ 0x00400e44 e11702f9 str x1, [var_428h] │ 0x00400e48 010080d2 mov x1, 0 │ 0x00400e4c e0a30091 add x0, sp, 0x28 │ 0x00400e50 018080d2 mov x1, 0x400 │ 0x00400e54 e20301aa mov x2, x1 │ 0x00400e58 01008052 mov w1, 0 │ 0x00400e5c 11fdff97 bl fcn.004002a0 │ 0x00400e60 e00400f0 adrp x0, 0x49f000 │ 0x00400e64 00f846f9 ldr x0, [x0, 0xdf0] │ 0x00400e68 000040f9 ldr x0, [x0] │ 0x00400e6c 030080d2 mov x3, 0 │ 0x00400e70 42008052 mov w2, 2 │ 0x00400e74 010080d2 mov x1, 0 │ 0x00400e78 661c0094 bl sym.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size) │ 0x00400e7c e00400f0 adrp x0, 0x49f000 │ 0x00400e80 001c46f9 ldr x0, [x0, 0xc38] │ 0x00400e84 000040f9 ldr x0, [x0] │ 0x00400e88 030080d2 mov x3, 0 │ 0x00400e8c 42008052 mov w2, 2 │ 0x00400e90 010080d2 mov x1, 0 │ 0x00400e94 5f1c0094 bl sym.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size) │ 0x00400e98 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ 0x00400e9c 00000191 add x0, x0, 0x40 │ 0x00400ea0 c81b0094 bl sym.puts ; int puts(const char *s) │ 0x00400ea4 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ 0x00400ea8 00c02991 add x0, x0, 0xa70 │ 0x00400eac b1070094 bl sym.__printf ; int printf(const char *format) │ 0x00400eb0 f5feff97 bl sym.read_int_4 │ 0x00400eb4 007c4093 sxtw x0, w0 │ 0x00400eb8 e01300f9 str x0, [var_20h] │ 0x00400ebc e01340f9 ldr x0, [var_20h] │ 0x00400ec0 1f0010f1 cmp x0, 0x400 │ 0x00400ec4 c9000054 b.ls 0x400edc │ 0x00400ec8 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ 0x00400ecc 00202a91 add x0, x0, 0xa88 │ 0x00400ed0 bc1b0094 bl sym.puts ; int puts(const char *s) │ 0x00400ed4 20008052 mov w0, 1 │ 0x00400ed8 3d000014 b 0x400fcc │ 0x00400edc c00200f0 adrp x0, 
str.mprotect ; 0x45b000 │ 0x00400ee0 00c02a91 add x0, x0, 0xab0 │ 0x00400ee4 a3070094 bl sym.__printf ; int printf(const char *format) │ 0x00400ee8 e00400f0 adrp x0, 0x49f000 │ 0x00400eec 00f846f9 ldr x0, [x0, 0xdf0] │ 0x00400ef0 010040f9 ldr x1, [x0] │ 0x00400ef4 e0a30091 add x0, sp, 0x28 │ 0x00400ef8 e30301aa mov x3, x1 │ 0x00400efc e21340f9 ldr x2, [var_20h] │ 0x00400f00 210080d2 mov x1, 1 │ 0x00400f04 371b0094 bl sym._IO_fread │ 0x00400f08 ff0f00f9 str xzr, [var_18h] │ 0x00400f0c 13000014 b 0x400f58 │ 0x00400f10 e00f40f9 ldr x0, [var_18h] │ 0x00400f14 e1a30091 add x1, sp, 0x28 │ 0x00400f18 20686038 ldrb w0, [x1, x0] │ 0x00400f1c 1f500371 cmp w0, 0xd4 │ 0x00400f20 61010054 b.ne 0x400f4c │ 0x00400f24 e00f40f9 ldr x0, [var_18h] │ 0x00400f28 e1a30091 add x1, sp, 0x28 │ 0x00400f2c 20686038 ldrb w0, [x1, x0] │ 0x00400f30 e20f40f9 ldr x2, [var_18h] │ 0x00400f34 e103002a mov w1, w0 │ 0x00400f38 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ 0x00400f3c 00002b91 add x0, x0, 0xac0 │ 0x00400f40 8c070094 bl sym.__printf ; int printf(const char *format) │ 0x00400f44 20008052 mov w0, 1 │ 0x00400f48 21000014 b 0x400fcc │ 0x00400f4c e00f40f9 ldr x0, [var_18h] │ 0x00400f50 00040091 add x0, x0, 1 │ 0x00400f54 e00f00f9 str x0, [var_18h] │ ; CODE XREF from main @ 0x400f0c(x) │ 0x00400f58 e10f40f9 ldr x1, [var_18h] │ 0x00400f5c e01340f9 ldr x0, [var_20h] │ 0x00400f60 3f0000eb cmp x1, x0 │ 0x00400f64 63fdff54 b.lo 0x400f10 │ 0x00400f68 22ffff97 bl sym.load_flag │ 0x00400f6c 1f000071 cmp w0, 0 │ 0x00400f70 c0000054 b.eq 0x400f88 │ 0x00400f74 c00200f0 adrp x0, str.mprotect ; 0x45b000 │ 0x00400f78 00e02b91 add x0, x0, 0xaf8 │ 0x00400f7c 911b0094 bl sym.puts ; int puts(const char *s) │ 0x00400f80 20008052 mov w0, 1 │ 0x00400f84 12000014 b 0x400fcc │ 0x00400f88 e01340f9 ldr x0, [var_20h] ERROR: Could not save history into /workspace/.cache/radare2 - **Assistant:** WARN: Relocs has not been applied. 
Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time 0x004002a0 10050090 adrp x16, 0x4a0000 0x004002a4 110e40f9 ldr x17, [x16, 0x18] 0x004002a8 10620091 add x16, x16, 0x18 0x004002ac 20021fd6 br x17 0x004002b0 10050090 adrp x16, 0x4a0000 0x004002b4 111240f9 ldr x17, [x16, 0x20] 0x004002b8 10820091 add x16, x16, 0x20 0x004002bc 20021fd6 br x17 ;-- section..text: ;-- abort: 0x004002c0 ff4303d1 sub sp, sp, 0xd0 ; [06] -r-x section size 371996 named .text 0x004002c4 e00400f0 adrp x0, 0x49f000 0x004002c8 002446f9 ldr x0, [x0, 0xc48] 0x004002cc fd7b0aa9 stp x29, x30, [sp, 0xa0] 0x004002d0 fd830291 add x29, sp, 0xa0 0x004002d4 f3530ba9 stp x19, x20, [sp, 0xb0] 0x004002d8 130500d0 adrp x19, 0x4a2000 0x004002dc 54d03bd5 mrs x20, tpidr_el0 0x004002e0 f56300f9 str x21, [sp, 0xc0] 0x004002e4 75a20a91 add x21, x19, 0x2a8 0x004002e8 94021dd1 sub x20, x20, 0x740 0x004002ec 020040f9 ldr x2, [x0] 0x004002f0 e24f00f9 str x2, [sp, 0x98] 0x004002f4 020080d2 mov x2, 0 0x004002f8 a10640f9 ldr x1, [x21, 8] 0x004002fc 3f0014eb cmp x1, x20 ┌─< 0x00400300 40010054 b.eq 0x400328 │ 0x00400304 e20315aa mov x2, x21 │ 0x00400308 21008052 mov w1, 1 │ 0x0040030c 00008052 mov w0, 0 │ 0x00400310 604f0194 bl sym.__aarch64_cas4_acq ┌──< 0x00400314 60000034 cbz w0, 0x400320 ││ 0x00400318 e00315aa mov x0, x21 ││ 0x0040031c c5350094 bl sym.__lll_lock_wait_private └──> 0x00400320 60a20a91 add x0, x19, 0x2a8 │ 0x00400324 140400f9 str x20, [x0, 8] └─> 0x00400328 64a20a91 add x4, x19, 0x2a8 0x0040032c 800440b9 ldr w0, [x4, 4] 0x00400330 811040b9 ldr w1, [x4, 0x10] 0x00400334 00040011 add w0, w0, 1 0x00400338 800400b9 str w0, [x4, 4] ┌─< 0x0040033c 61010035 cbnz w1, 0x400368 │ 0x00400340 25008052 mov w5, 1 │ 0x00400344 060480d2 mov x6, 0x20 │ 0x00400348 200080d2 mov x0, 1 │ 0x0040034c e1030091 mov x1, sp │ 0x00400350 020080d2 mov x2, 0 │ 0x00400354 030180d2 mov x3, 8 │ 0x00400358 e81080d2 mov x8, 0x87 │ 0x0040035c e60300f9 str x6, [sp] │ 0x00400360 851000b9 str w5, [x4, 0x10] │ 0x00400364 
010000d4 svc 0 └─> 0x00400368 75a20a91 add x21, x19, 0x2a8 0x0040036c a01240b9 ldr w0, [x21, 0x10] 0x00400370 1f040071 cmp w0, 1 ┌─< 0x00400374 21040054 b.ne 0x4003f8 │ 0x00400378 a00640b9 ldr w0, [x21, 4] │ 0x0040037c bf1200b9 str wzr, [x21, 0x10] │ 0x00400380 00040051 sub w0, w0, 1 │ 0x00400384 a00600b9 str w0, [x21, 4] ┌──< 0x00400388 00010035 cbnz w0, 0x4003a8 ││ 0x0040038c e10315aa mov x1, x21 ││ 0x00400390 bf0600f9 str xzr, [x21, 8] ││ 0x00400394 eb4f0194 bl sym.__aarch64_swp4_rel ││ 0x00400398 1f040071 cmp w0, 1 ┌───< 0x0040039c 6d000054 b.le 0x4003a8 │││ 0x004003a0 e00315aa mov x0, x21 │││ 0x004003a4 df350094 bl sym.__lll_lock_wake_private └└──> 0x004003a8 75a20a91 add x21, x19, 0x2a8 │ 0x004003ac c0008052 mov w0, 6 │ 0x004003b0 c4ab0094 bl sym.gsignal │ 0x004003b4 a00640f9 ldr x0, [x21, 8] │ 0x004003b8 9f0200eb cmp x20, x0 │ 0x004003bc 40010054 b.eq 0x4003e4 │ 0x004003c0 e20315aa mov x2, x21 │ 0x004003c4 21008052 mov w1, 1 │ 0x004003c8 00008052 mov w0, 0 │ 0x004003cc 314f0194 bl sym.__aarch64_cas4_acq │ 0x004003d0 60000034 cbz w0, 0x4003dc │ 0x004003d4 e00315aa mov x0, x21 │ 0x004003d8 96350094 bl sym.__lll_lock_wait_private │ 0x004003dc 60a20a91 add x0, x19, 0x2a8 - **Assistant:** dpkg-query: no path found matching pattern *bin/aarch64*linux*-as* [ERROR] Could not find 'as' installed for ContextType(arch = 'aarch64', bits = 64, endian = 'little') Try installing binutils for this architecture: https://docs.pwntools.com/en/stable/install/binutils.html Traceback (most recent call last): File "", line 2, in File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/context/__init__.py", line 1716, in setter return function(*a, **kw) ^^^^^^^^^^^^^^^^^^ File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 794, in asm assembler = _assembler() ^^^^^^^^^^^^ File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 253, in _assembler gas, version = which_binutils('as', check_version=True) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File 
"/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/context/__init__.py", line 1716, in setter return function(*a, **kw) ^^^^^^^^^^^^^^^^^^ File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 248, in which_binutils print_binutils_instructions(util, context) File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/asm.py", line 136, in print_binutils_instructions log.error(""" File "/opt/ctf-venv/lib/python3.12/site-packages/pwnlib/log.py", line 439, in error raise PwnlibException(message % args) pwnlib.exception.PwnlibException: Could not find 'as' installed for ContextType(arch = 'aarch64', bits = 64, endian = 'little') Try installing binutils for this architecture: https://docs.pwntools.com/en/stable/install/binutils.html - **Assistant:** To craft the actual AArch64 shellcode bytes (the service reads raw bytes and rejects any `0xd4` byte), I need an assembler toolchain for AArch64 in this container. Next I’ll check what assembler options are available (e.g., `llvm-mc`, `clang`, or other), and then use it to generate payload bytes we can send to the remote process. - **Assistant:** Before I craft the shellcode bytes, I need a way to generate/inspect ARM64 instruction encodings. Since the filesystem is read-only via shell commands, I’m going to test whether the `apply_patch` tool can still write small temp files in `/workspace`; if not, I’ll switch to a fully in-memory approach (assembling via stdout and extracting bytes). - **Assistant:** Next I’ll test an in-memory AArch64 assembly pipeline: use `clang` to assemble a tiny AArch64 snippet and emit the resulting object to stdout (then base64-encode it). This will confirm we can generate real ARM64 machine code bytes without needing any filesystem writes (which are blocked in this sandbox). - **Assistant:** I’m going to inspect the binary’s own `rand`/`srandom` implementations. 
If they’re simple (e.g., an LCG), we can reimplement them directly in shellcode and avoid risky function calls; if they’re more complex, we’ll instead call the existing `rand()`/`srandom()` from shellcode. - **Assistant:** INFO: Recovering variables (afva@@F) INFO: Running plugin pre-analysis hooks INFO: Analyze all functions arguments/locals (afva@@F) ; CALL XREFS from sym.load_flag @ 0x400d3c(x), 0x400d58(x) ┌ 20: int sym.rand (); │ 0x00401e10 fd7bbfa9 stp x29, x30, [sp, -0x10]! │ 0x00401e14 fd030091 mov x29, sp │ 0x00401e18 86000094 bl sym.random ; uint32_t random(void) │ 0x00401e1c fd7bc1a8 ldp x29, x30, [sp], 0x10 └ 0x00401e20 c0035fd6 ret 0x00401e24 1f2003d5 nop 0x00401e28 1f2003d5 nop 0x00401e2c 1f2003d5 nop ; CALL XREF from sym.load_flag @ 0x400c84(x) ┌ 136: uint32_t sym.__srandom (uint32_t seed); │ `- args(x0) vars(2:sp[0x10..0x20]) │ 0x00401e30 fd7bbda9 stp x29, x30, [sp, -0x30]! │ 0x00401e34 21008052 mov w1, 1 │ 0x00401e38 fd030091 mov x29, sp │ 0x00401e3c f35301a9 stp x19, x20, [var_10h] │ 0x00401e40 130500b0 adrp x19, 0x4a2000 │ 0x00401e44 f403002a mov w20, w0 ; seed │ 0x00401e48 f51300f9 str x21, [var_20h] │ 0x00401e4c 75b21b91 add x21, x19, 0x6ec │ 0x00401e50 e20315aa mov x2, x21 │ 0x00401e54 00008052 mov w0, 0 │ 0x00401e58 8e480194 bl sym.__aarch64_cas4_acq │ ┌─< 0x00401e5c e0010035 cbnz w0, 0x401e98 │ │ ; CODE XREF from sym.__srandom @ 0x401ea0(x) │ ┌──> 0x00401e60 e003142a mov w0, w20 │ ╎│ 0x00401e64 73b21b91 add x19, x19, 0x6ec │ ╎│ 0x00401e68 e10400f0 adrp x1, 0x4a0000 │ ╎│ 0x00401e6c 21400391 add x1, x1, 0xd0 │ ╎│ 0x00401e70 a0000094 bl sym.srandom_r │ ╎│ 0x00401e74 e10313aa mov x1, x19 │ ╎│ 0x00401e78 00008052 mov w0, 0 │ ╎│ 0x00401e7c 31490194 bl sym.__aarch64_swp4_rel │ ╎│ 0x00401e80 1f040071 cmp w0, 1 │ ┌───< 0x00401e84 0c010054 b.gt 0x401ea4 │ │╎│ 0x00401e88 f35341a9 ldp x19, x20, [var_10h] │ │╎│ 0x00401e8c f51340f9 ldr x21, [var_20h] │ │╎│ 0x00401e90 fd7bc3a8 ldp x29, x30, [sp], 0x30 │ │╎│ 0x00401e94 c0035fd6 ret │ │╎└─> 0x00401e98 
e00315aa mov x0, x21 │ │╎ 0x00401e9c e52e0094 bl sym.__lll_lock_wait_private │ │└──< 0x00401ea0 f0ffff17 b 0x401e60 │ └───> 0x00401ea4 f51340f9 ldr x21, [var_20h] │ 0x00401ea8 e00313aa mov x0, x19 │ 0x00401eac f35341a9 ldp x19, x20, [var_10h] │ 0x00401eb0 fd7bc3a8 ldp x29, x30, [sp], 0x30 └ ┌─< 0x00401eb4 1b2f0014 b sym.__lll_lock_wake_private │ 0x00401eb8 1f2003d5 nop │ 0x00401ebc 1f2003d5 nop ┌ 196: char *sym.__initstate (uint32_t seed, char *state, size_t size); │ `- args(x0, x1, x2) vars(3:sp[0x10..0x30]) │ │ 0x00401ec0 fd7bbca9 stp x29, x30, [sp, -0x40]! │ │ 0x00401ec4 fd030091 mov x29, sp │ │ 0x00401ec8 f35301a9 stp x19, x20, [var_10h] │ │ 0x00401ecc 130500b0 adrp x19, 0x4a2000 │ │ 0x00401ed0 f403002a mov w20, w0 ; seed │ │ 0x00401ed4 f71b00f9 str x23, [var_30h] │ │ 0x00401ed8 77b21b91 add x23, x19, 0x6ec │ │ 0x00401edc 00008052 mov w0, 0 │ │ 0x00401ee0 f55b02a9 stp x21, x22, [var_20h] │ │ 0x00401ee4 f50301aa mov x21, x1 ; state │ │ 0x00401ee8 f60302aa mov x22, x2 ; size │ │ 0x00401eec 21008052 mov w1, 1 │ │ 0x00401ef0 e20317aa mov x2, x23 │ │ 0x00401ef4 67480194 bl sym.__aarch64_cas4_acq │ ┌──< 0x00401ef8 e0020035 cbnz w0, 0x401f54 │ ││ ; CODE XREF from sym.__initstate @ 0x401f5c(x) │ ││ 0x00401efc e30400f0 adrp x3, 0x4a0000 │ ││ 0x00401f00 63400391 add x3, x3, 0xd0 │ ││ 0x00401f04 e003142a mov w0, w20 │ ││ 0x00401f08 e20316aa mov x2, x22 │ ││ 0x00401f0c e10315aa mov x1, x21 │ ││ 0x00401f10 73b21b91 add x19, x19, 0x6ec │ ││ 0x00401f14 740840f9 ldr x20, [x3, 0x10] │ ││ 0x00401f18 ce000094 bl sym.__initstate_r │ ││ 0x00401f1c e10313aa mov x1, x19 │ ││ 0x00401f20 f503002a mov w21, w0 │ ││ 0x00401f24 941200d1 sub x20, x20, 4 │ ││ 0x00401f28 00008052 mov w0, 0 │ ││ 0x00401f2c 05490194 bl sym.__aarch64_swp4_rel │ ││ 0x00401f30 1f040071 cmp w0, 1 │ ││ 0x00401f34 6c010054 b.gt 0x401f60 │ ││ 0x00401f38 bf060031 cmn w21, 1 │ ││ 0x00401f3c f55b42a9 ldp x21, x22, [var_20h] │ ││ 0x00401f40 80129f9a csel x0, x20, xzr, ne │ ││ 0x00401f44 f35341a9 ldp x19, x20, [var_10h] │ 
││ 0x00401f48 f71b40f9 ldr x23, [var_30h] │ ││ 0x00401f4c fd7bc4a8 ldp x29, x30, [sp], 0x40 │ ││ 0x00401f50 c0035fd6 ret │ └──> 0x00401f54 e00317aa mov x0, x23 │ │ 0x00401f58 b62e0094 bl sym.__lll_lock_wait_private │ │ 0x00401f5c e8ffff17 b 0x401efc │ │ 0x00401f60 e00313aa mov x0, x19 │ │ 0x00401f64 ef2e0094 bl sym.__lll_lock_wake_private │ │ 0x00401f68 bf060031 cmn w21, 1 │ │ 0x00401f6c f55b42a9 ldp x21, x22, [var_20h] │ │ 0x00401f70 80129f9a csel x0, x20, xzr, ne │ │ 0x00401f74 f35341a9 ldp x19, x20, [var_10h] │ │ 0x00401f78 f71b40f9 ldr x23, [var_30h] │ │ 0x00401f7c fd7bc4a8 ldp x29, x30, [sp], 0x40 └ │ 0x00401f80 c0035fd6 ret ┌ 164: const char *sym.setstate (const char *state); │ `- args(x0) vars(2:sp[0x10..0x20]) │ │ 0x00401f84 fd7bbda9 stp x29, x30, [sp, -0x30]! │ │ 0x00401f88 21008052 mov w1, 1 │ │ 0x00401f8c fd030091 mov x29, sp │ │ 0x00401f90 f35301a9 stp x19, x20, [var_10h] │ │ 0x00401f94 140500b0 adrp x20, 0x4a2000 │ │ 0x00401f98 f30300aa mov x19, x0 ; state │ │ 0x00401f9c f51300f9 str x21, [var_20h] │ │ 0x00401fa0 95b21b91 add x21, x20, 0x6ec │ │ 0x00401fa4 e20315aa mov x2, x21 │ │ 0x00401fa8 00008052 mov w0, 0 │ │ 0x00401fac 39480194 bl sym.__aarch64_cas4_acq │ │ 0x00401fb0 80020035 cbnz w0, 0x402000 │ │ ; CODE XREF from sym.setstate @ 0x402008(x) │ │ 0x00401fb4 e10400f0 adrp x1, 0x4a0000 │ │ 0x00401fb8 21400391 add x1, x1, 0xd0 │ │ 0x00401fbc e00313aa mov x0, x19 │ │ 0x00401fc0 94b21b91 add x20, x20, 0x6ec │ │ 0x00401fc4 330840f9 ldr x19, [x1, 0x10] │ │ 0x00401fc8 fe000094 bl sym.__setstate_r │ │ 0x00401fcc 1f000071 cmp w0, 0 │ │ 0x00401fd0 e10314aa mov x1, x20 │ │ 0x00401fd4 731200d1 sub x19, x19, 4 │ │ 0x00401fd8 00008052 mov w0, 0 │ │ 0x00401fdc 73a29f9a csel x19, x19, xzr, ge │ │ 0x00401fe0 d8480194 bl sym.__aarch64_swp4_rel │ │ 0x00401fe4 1f040071 cmp w0, 1 │ │ 0x00401fe8 2c010054 b.gt 0x40200c │ │ 0x00401fec f51340f9 ldr x21, [var_20h] │ │ 0x00401ff0 e00313aa mov x0, x19 │ │ 0x00401ff4 f35341a9 ldp x19, x20, [var_10h] │ │ 0x00401ff8 fd7bc3a8 ldp 
x29, x30, [sp], 0x30 │ │ 0x00401ffc c0035fd6 ret │ │ 0x00402000 e00315aa mov x0, x21 │ │ 0x00402004 8b2e0094 bl sym.__lll_lock_wait_private │ │ 0x00402008 ebffff17 b 0x401fb4 │ │ 0x0040200c e00314aa mov x0, x20 │ │ 0x00402010 c42e0094 bl sym.__lll_lock_wake_private │ │ 0x00402014 f51340f9 ldr x21, [var_20h] │ │ 0x00402018 e00313aa mov x0, x19 │ │ 0x0040201c f35341a9 ldp x19, x20, [var_10h] │ │ 0x00402020 fd7bc3a8 ldp x29, x30, [sp], 0x30 └ │ 0x00402024 c0035fd6 ret │ 0x00402028 1f2003d5 nop │ 0x0040202c 1f2003d5 nop │ ; CALL XREF from sym.rand @ 0x401e18(x) ┌ 180: uint32_t sym.random (); │ `- args(sp[0x30..0x30]) vars(4:sp[0x10..0x2c]) │ │ 0x00402030 ffc300d1 sub sp, sp, 0x30 │ │ 0x00402034 21008052 mov w1, 1 │ │ 0x00402038 e00400b0 adrp x0, 0x49f000 │ │ 0x0040203c 002446f9 ldr x0, [x0, 0xc48] │ │ 0x00402040 fd7b01a9 stp x29, x30, [var_10h] │ │ 0x00402044 fd430091 add x29, sp, 0x10 │ │ 0x00402048 f35302a9 stp x19, x20, [var_20h] │ │ 0x0040204c 13050090 adrp x19, 0x4a2000 │ │ 0x00402050 74b21b91 add x20, x19, 0x6ec │ │ 0x00402054 030040f9 ldr x3, [x0] │ │ 0x00402058 e30700f9 str x3, [var_8h] │ │ 0x0040205c 030080d2 mov x3, 0 │ │ 0x00402060 e20314aa mov x2, x20 │ │ 0x00402064 00008052 mov w0, 0 │ │ 0x00402068 0a480194 bl sym.__aarch64_cas4_acq │ │ 0x0040206c e0020035 cbnz w0, 0x4020c8 │ │ ; CODE XREF from sym.random @ 0x4020d0(x) │ │ 0x00402070 e1130091 add x1, sp, 4 │ │ 0x00402074 73b21b91 add x19, x19, 0x6ec │ │ 0x00402078 e00400d0 adrp x0, 0x4a0000 │ │ 0x0040207c 00400391 add x0, x0, 0xd0 │ │ 0x00402080 10010094 bl sym.random_r │ │ 0x00402084 e10313aa mov x1, x19 │ │ 0x00402088 00008052 mov w0, 0 │ │ 0x0040208c ad480194 bl sym.__aarch64_swp4_rel │ │ 0x00402090 1f040071 cmp w0, 1 │ │ 0x00402094 0c020054 b.gt 0x4020d4 │ │ ; CODE XREF from sym.random @ 0x4020dc(x) │ │ 0x00402098 e10400b0 adrp x1, 0x49f000 │ │ 0x0040209c 212446f9 ldr x1, [x1, 0xc48] │ │ 0x004020a0 e00780b9 ldrsw x0, [var_4h] │ │ 0x004020a4 e30740f9 ldr x3, [var_8h] │ │ 0x004020a8 220040f9 ldr x2, [x1] 
│ │ 0x004020ac 630002eb subs x3, x3, x2 │ │ 0x004020b0 020080d2 mov x2, 0 │ │ 0x004020b4 61010054 b.ne 0x4020e0 │ │ 0x004020b8 fd7b41a9 ldp x29, x30, [var_10h] │ │ 0x004020bc f35342a9 ldp x19, x20, [var_20h] │ │ 0x004020c0 ffc30091 add sp, sp, 0x30 │ │ 0x004020c4 c0035fd6 ret │ │ 0x004020c8 e00314aa mov x0, x20 │ │ 0x004020cc 592e0094 bl sym.__lll_lock_wait_private │ │ 0x004020d0 e8ffff17 b 0x402070 │ │ 0x004020d4 e00313aa mov x0, x19 │ │ 0x004020d8 922e0094 bl sym.__lll_lock_wake_private │ │ 0x004020dc efffff17 b 0x402098 └ │ 0x004020e0 085f0094 bl sym.__stack_chk_fail_local │ 0x004020e4 1f2003d5 nop │ 0x004020e8 1f2003d5 nop │ 0x004020ec 1f2003d5 nop │ ; CALL XREF from sym.__srandom @ 0x401e70(x) │ ; CALL XREFS from sym.__initstate_r @ 0x4022b4(x), 0x402300(x) ┌ 352: sym.srandom_r (int64_t arg1, int64_t arg2); │ `- args(x0, x1) │ │ 0x004020f0 fd7bbfa9 stp x29, x30, [sp, -0x10]! │ │ 0x004020f4 fd030091 mov x29, sp │ │ 0x004020f8 810a00b4 cbz x1, 0x402248 │ │ 0x004020fc 221840b9 ldr w2, [x1, 0x18] ; arg2 │ │ 0x00402100 5f100071 cmp w2, 4 │ │ 0x00402104 280a0054 b.hi 0x402248 │ │ 0x00402108 250840f9 ldr x5, [x1, 0x10] ; arg2 │ │ 0x0040210c 1f000071 cmp w0, 0 ; arg1 │ │ 0x00402110 00149f1a csinc w0, w0, wzr, ne │ │ 0x00402114 a00000b9 str w0, [x5] ; arg1 │ │ 0x00402118 c2070034 cbz w2, 0x402210 │ │ 0x0040211c 231c40b9 ldr w3, [x1, 0x1c] ; arg2 │ │ 0x00402120 7f040071 cmp w3, 1 │ │ 0x00402124 2d080054 b.le 0x402228 │ │ 0x00402128 a6c8238b add x6, x5, w3, sxtw 2 - **Assistant:** 552: 0000000000000000 0 FILE LOCAL DEFAULT ABS write.o 2490: 0000000000418370 208 FUNC WEAK HIDDEN 6 write - **Assistant:** code_len 4 contains 0xd4 False hex c0035fd6 response_text: - **Assistant:** 556: 552: 0000000000000000 0 FILE LOCAL DEFAULT ABS write.o 2494: 2490: 0000000000418370 208 FUNC WEAK HIDDEN 6 write - **Assistant:** I’m going to start assembling a first full AArch64 shellcode attempt (PRNG seed reset → loop rand indices → read permuted flag bytes → write result). 
First I’ll assemble it in-memory with `clang`, extract the raw `.text` bytes, and verify none of those bytes equals `0xd4` (the service’s forbidden byte).
- **Assistant:** b'midnight{00bcdacc0a20c497cca29411b876755d}' ---TEXT--- midnight{00bcdacc0a20c497cca29411b876755d}
- **Assistant:** The crafted shellcode successfully executed and printed a candidate flag string from the remote service. Next I’ll post the key exploitation findings (protocol + the exact shellcode approach + the resulting output) to the provided Discord webhook, then I’ll give you the full explanation/solution steps.
- **Assistant:** sent
- **Assistant:** sent2
- **Assistant:** I attempted a second verification run, but the script is hanging waiting for the `shellcode:` prompt substring (likely due to ANSI/formatting differences). Next I’ll redo the verification using the same simpler approach that worked before: read until `shellcode size`, send the size and immediately send the shellcode bytes, then read the rest with a short timeout and print the decoded result.
- **Assistant:** shellcode: midnight{00bcdacc0a20c497cca29411b876755d}
- **Assistant:**

### What the service expects

`speed5` prints an ASCII banner, then prompts `shellcode size:` and reads that many *raw bytes* from stdin (must be `<= 0x400`). It also rejects your shellcode if **any byte equals `0xd4`**. Then it `mmap`s your shellcode, `mprotect`s it RX, sets up a sandbox, and executes it with **`x0 = flag_region`** (a memory buffer containing the permuted flag).

### What the binary does to the flag

Inside the binary, `load_flag`:

- reads a 4-byte seed into global `rand_seed` (`0x4a1a40`),
- seeds the PRNG (`__srandom(rand_seed)`),
- reads the flag bytes into a stack buffer,
- allocates `flag_region` (`flag_region` global at `0x4a1a38`, mmap size `0x800000`),
- then for each flag byte `i` writes it to `flag_region[idx]` where the index is effectively:
  - **`idx = rand() & 0x7fffff`** (from the `rand`/mask/`negs`/`and`/`csneg` sequence), so the flag is stored as a deterministic permutation.

### How the shellcode solves it

Because that permutation is deterministic from `rand_seed`, the shellcode:

1. loads `rand_seed`,
2. calls `__srandom(rand_seed)` to reset the PRNG,
3. repeatedly computes `idx = rand() & 0x7fffff`,
4. reads `flag_region[idx]` in order and appends bytes until it sees `'}'`,
5. calls `write(1, buf, len)`.

I assembled an AArch64 payload (160 bytes) that contains **no `0xd4` bytes**, and sent it to `speed5.play.ctf.se:9119`. It prints: **`midnight{00bcdacc0a20c497cca29411b876755d}`**

- **System:** Thread completed